Look at /etc/sysctl.conf, you need to set net.inet.esp.enable and net.inet.ah.enable to 1 to allow IPsec (as the man page says). -Angelos